- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Input filter returning null values
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi folks,
I'm building a dashboard with several multiple inputs, and i'm facing a trouble while filtering a field named "mensagem", because i want to display de null values, but when i use fillnull it generates a conflict between the search of the field "mensagem" and the fillnull command.
The querie i'm using below.
index="raw_internet" tipo="$tipo$" AND programa="$prgr$" AND codigo="$cder$" AND mensagem="$msgm$" AND servidor="$srvd$" AND codigoAcesso="$cdac$"| fillnull mensagem value="Nenhuma" | table _time, tipo, programa, mensagem, codigo, servidor
There's anyone there that can help me?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not believe that what you are describing can be true. I suspect the values are actually whitespace because it really doesn't make sense otherwise. If your search uses (and it does) AND mensagem="$msgm$", then there is NOTHING that can be passed in for token msgm that will allow events that do not have a value for field mensagem (i.e. "many [events with] null values") to return from the search because implied in that clause is the stipulation that field mensagem exists and has a value that is not NULL. You absolutely must be misinterpreting your search results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not believe that what you are describing can be true. I suspect the values are actually whitespace because it really doesn't make sense otherwise. If your search uses (and it does) AND mensagem="$msgm$", then there is NOTHING that can be passed in for token msgm that will allow events that do not have a value for field mensagem (i.e. "many [events with] null values") to return from the search because implied in that clause is the stipulation that field mensagem exists and has a value that is not NULL. You absolutely must be misinterpreting your search results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, if the values are whitespace how can i do the same thing? Instead of Null is whitespace? Can you send me one exemple? Sorry my english is far from perfect.
index="raw_internet" tipo="$tipo$" AND programa="$prgr$" AND codigo="$cder$" AND mensagem="$msgm$" AND servidor="$srvd$" AND codigoAcesso="$cdac$"| fillnull mensagem value="Nenhuma" | table _time, tipo, programa, mensagem, codigo, servidor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you are OK with the fact that your form, as it is written right now, will ALWAYS drop EVERY event that does not have a (non-NULL) value for each and every field that you are "filtering" (which I find VERY hard to believe), you can do it like this:
index="raw_internet" tipo="$tipo$" AND programa="$prgr$" AND codigo="$cder$" AND mensagem="$msgm$" AND servidor="$srvd$" AND codigoAcesso="$cdac$"| eval mensagem = if(match(mensagem, "^\s*$"), "Nenhuma", mensagem) | table _time, tipo, programa, mensagem, codigo, servidor
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks woodcock, i must be misusing something.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
